CVE-2016-3720 in com.fasterxml.jackson dependencies #1600

Closed
ajlanghorn opened this issue Jun 17, 2016 · 4 comments
@ajlanghorn

When running the OWASP Dependency Check tool against a Dropwizard 0.9.2 installation, CVE-2016-3720 is raised thirteen times because of the fasterxml.jackson dependency:

jackson-annotations-2.6.0.jar (com.fasterxml.jackson.core:jackson-annotations:2.6.0, cpe:/a:fasterxml:jackson:2.6.0) : CVE-2016-3720
jackson-core-2.6.5.jar (com.fasterxml.jackson.core:jackson-core:2.6.5, cpe:/a:fasterxml:jackson:2.6.5) : CVE-2016-3720
jackson-databind-2.6.5.jar (com.fasterxml.jackson.core:jackson-databind:2.6.5, cpe:/a:fasterxml:jackson:2.6.5) : CVE-2016-3720
jackson-dataformat-yaml-2.6.3.jar (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-datatype-guava-2.6.3.jar (com.fasterxml.jackson.datatype:jackson-datatype-guava:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-datatype-jdk7-2.6.3.jar (com.fasterxml.jackson.datatype:jackson-datatype-jdk7:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-datatype-jdk8-2.6.3.jar (com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-datatype-joda-2.6.3.jar (com.fasterxml.jackson.datatype:jackson-datatype-joda:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-datatype-jsr310-2.6.5.jar (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.6.5, cpe:/a:fasterxml:jackson:2.6.5) : CVE-2016-3720
jackson-jaxrs-base-2.6.3.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-jaxrs-json-provider-2.6.3.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-module-afterburner-2.6.3.jar (com.fasterxml.jackson.module:jackson-module-afterburner:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-module-jaxb-annotations-2.6.3.jar (com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720

We'd rather not patch the version in 0.9.2, especially when 1.0.0 has RCs out. It looks like 1.0.0-rc3 will pull FasterXML.Jackson's latest version, rather than pinning it, so we're hopeful this will provide a fix.
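The report above is typical of what Dependency-Check hands back: one CVE repeated once per jar, which hides the fact that a single shared Jackson version bump clears every line. As an added example (not part of this issue, of Dropwizard, or of Dependency-Check), the Python below parses lines in the one-finding-per-line format shown above, groups them by CVE, lists the distinct versions involved, and reports which artifacts are still below a target version. The sample lines are copied from the report above; the 2.6.7 threshold is the Jackson version the maintainer moved to later in this thread, not a claim about the CVE's official fixed version; the regex is an assumption about the text format and skips anything it does not recognise.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the Dependency-Check lines quoted in the issue above.
SAMPLE_REPORT = """\
jackson-annotations-2.6.0.jar (com.fasterxml.jackson.core:jackson-annotations:2.6.0, cpe:/a:fasterxml:jackson:2.6.0) : CVE-2016-3720
jackson-core-2.6.5.jar (com.fasterxml.jackson.core:jackson-core:2.6.5, cpe:/a:fasterxml:jackson:2.6.5) : CVE-2016-3720
jackson-databind-2.6.5.jar (com.fasterxml.jackson.core:jackson-databind:2.6.5, cpe:/a:fasterxml:jackson:2.6.5) : CVE-2016-3720
jackson-dataformat-yaml-2.6.3.jar (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
"""

# Assumed line format: "<jar> (<group>:<artifact>:<version>, <cpe>) : <CVE>[, <CVE>...]"
LINE_RE = re.compile(
    r"^(?P<jar>\S+\.jar) \("
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<version>[^,\s]+), "
    r"(?P<cpe>cpe:/[^)]+)\) : (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)$"
)


def parse_report(text):
    """Parse Dependency-Check text lines into finding dicts; unrecognised lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        f["cves"] = f["cves"].split(", ")
        f["gav"] = f"{f['group']}:{f['artifact']}:{f['version']}"
        findings.append(f)
    return findings


def parse_version(v):
    """Turn the leading dotted-numeric part of a version ('2.6.7', '2.6.7-rc1') into a
    tuple of ints so that 2.6.10 sorts after 2.6.9 (a plain string compare would not)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def group_by_cve(findings):
    """Map CVE id -> findings, so a CVE raised N times is seen once with N affected artifacts."""
    groups = defaultdict(list)
    for f in findings:
        for cve in f["cves"]:
            groups[cve].append(f)
    return dict(groups)


def distinct_versions(findings):
    """Distinct artifact versions among the findings, in numeric order."""
    return sorted({f["version"] for f in findings}, key=parse_version)


def needs_upgrade(findings, fixed_version):
    """GAVs whose version is below fixed_version, i.e. still to be bumped."""
    floor = parse_version(fixed_version)
    return [f["gav"] for f in findings if parse_version(f["version"]) < floor]


def summarize(text, fixed_version):
    """Collapse a noisy report into: per CVE, how many artifacts, which versions, what to bump."""
    findings = parse_report(text)
    summary = {}
    for cve, group in group_by_cve(findings).items():
        summary[cve] = {
            "artifacts": len(group),
            "versions": distinct_versions(group),
            "to_upgrade": needs_upgrade(group, fixed_version),
        }
    return summary


if __name__ == "__main__":
    # 2.6.7 is the Jackson version the maintainer moved to in this thread (commit ec8a15c).
    for cve, s in summarize(SAMPLE_REPORT, "2.6.7").items():
        print(f"{cve}: {s['artifacts']} artifacts at {s['versions']}, "
              f"{len(s['to_upgrade'])} below 2.6.7")
```

Run against the full thirteen-line report the output collapses to one CVE, three distinct 2.6.x versions and thirteen GAVs to bump, which is the information needed to decide that a single version-property change, rather than thirteen separate patches, is the fix. Re-running it against the report after the bump should return an empty `to_upgrade` list.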

@joschi joschi self-assigned this Jun 17, 2016
@joschi joschi added this to the 0.9.3 milestone Jun 17, 2016
joschi added a commit that referenced this issue Jun 17, 2016
@ajlanghorn (Author)

@joschi Thanks for the super-speedy work on this! So awesome. In ec8a15c, it looks like you upgraded the Jackson version to 2.6.7 but noted in the commit message and readme that you'd gone to 2.6.5. Was that intentional?

@joschi (Member) commented Jun 17, 2016

@ajlanghorn Argh, that was a typo. Thanks for spotting it!

joschi added a commit that referenced this issue Jun 17, 2016
@joschi joschi closed this as completed Jun 17, 2016
@ajlanghorn (Author)

@joschi Do you happen to have a date for a 0.9.3 release so we don't need to build from master? :)

@ajlanghorn (Author)

Oh, just noticed it's there!
